
The granted risk profile is B

Argumentation: First, the dynamics of Business and IT are increasing, because they use an ERP system. An internet order is automatically transferred to the ERP by a tailor-made interface. The ERP automatically sends information to the customer and to the production department. Using automated IT software carries its own risks (risk profile II (B)).
Secondly, the level of automation is increasing. Many tasks are automated. The process from placing an order up to the production department runs automatically. The logistics department still has manual tasks to do. When the level of automation rises, the IT risks also increase (risk profile II (B)).
As a third argument, they use a website designed with Joomla. I read an article about Joomla saying that it is sensitive to phishing attacks. So using a website has risks: outsiders can get sensitive data from the Foil company. The higher the complexity and dynamics, the higher the risk.

They don't use cloud computing, so they are not in risk profile IV.
System     Security  Continuity  Change management
Financial  Medium    Low         Medium
Logistic   Low       Low         Medium
Web sales  High      Medium      High
Please fill in all cells marked with dots (…)

Change management

Risk: Changes made to applications are not authorised, valid and approved prior to being placed into the Production environment.
Risk impact: High
Controls:
- C01 Formal change management procedures that address change requests and approvals are formally documented.
- C02 A procedure exists that requires the technical impacts of a program change to be assessed prior to transferring it to production.
- C03 If emergency changes to programs or data must be implemented, they are formally documented in a Production Problem Report by the programmer that implemented the change, on the business day following the migration of the emergency change into production.

Risk: Changes are moved into the production environment that are not properly approved.
Risk impact: …
Controls:
- C04 A procedure exists to ensure that system modifications are transported to the production environment only when validated by the process owner.
- C05 …

Risk: Without proper documentation, the efficiency and accuracy of data may be compromised.
Risk impact: …
Controls:
- C06 …
User account access

Risk: Without adequate procedures for the creation and maintenance of User IDs, and for identifying and deleting terminated and transferred employees, there are no assurances that system accesses are authorised, appropriate and valid.
Risk impact: …
Controls:
- C01 A user account management procedure is implemented that clearly defines:
  - user account creation / change requests
  - rights assignments
  - approval process
  - user account acceptance
  - termination procedures
  - periodical reviews of access rights
- C02 Formal communication occurs between HR and the responsible IT staff for prompt notification of terminated personnel.
- C03 …

Risk: Users are not authenticated by the system and can make unauthorised changes to the system, programs and data.
Risk impact: …
Controls:
- C04 The user is required to enter a unique ID and password to authenticate on Windows.
- C05 Generic IDs are not used in Exact.
- C06 Password constraints are enforced within Windows.
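A worked version of the review behind controls C01, C02 and C05, added here as an example and not part of the assignment: it reconciles a constructed HR leaver list against a constructed account export and reports the exceptions an auditor would raise. The export layout, the review period and the generic-ID prefixes are assumptions.

```python
from datetime import date

# Constructed sample data, not a real export: HR termination dates and an
# account listing. The field layout is an assumption for this example.
HR_TERMINATED = {"jdoe": date(2024, 3, 1), "mvries": date(2024, 5, 15)}

ACCOUNTS = [
    # (user id, named owner, system, enabled, date of last access-rights review)
    ("jdoe",   "J. Doe",      "Windows", True,  date(2024, 1, 10)),
    ("mvries", "M. de Vries", "Exact",   False, date(2024, 1, 10)),
    ("pjans",  "P. Jansen",   "Exact",   True,  date(2023, 6, 1)),
    ("sales",  None,          "Exact",   True,  date(2024, 1, 10)),
    ("admin",  None,          "Windows", True,  date(2024, 4, 2)),
]

# Prefixes that usually mark a shared account with no single accountable owner.
GENERIC_PREFIXES = ("sales", "admin", "temp", "test", "guest")

def review_accounts(accounts, terminated, today, review_days=180):
    """Return findings as (user id, control id, description), one per exception."""
    findings = []
    for uid, owner, system, enabled, last_review in accounts:
        # C02: HR-reported leavers must be disabled promptly.
        if uid in terminated and enabled:
            lag = (today - terminated[uid]).days
            findings.append((uid, "C02", f"still enabled {lag} days after termination"))
        # C05: no generic IDs in Exact (a shared login defeats accountability).
        if system == "Exact" and (owner is None or uid.startswith(GENERIC_PREFIXES)):
            findings.append((uid, "C05", "generic ID in Exact"))
        # C01: access rights reviewed at least every review_days days.
        since_review = (today - last_review).days
        if since_review > review_days:
            findings.append((uid, "C01", f"rights not reviewed for {since_review} days"))
    return findings

def sample_findings(today=date(2024, 6, 1)):
    """Run the review over the constructed data; returns (user id, control id) pairs."""
    return [(uid, ctrl) for uid, ctrl, _ in review_accounts(ACCOUNTS, HR_TERMINATED, today)]

if __name__ == "__main__":
    for uid, ctrl, text in review_accounts(ACCOUNTS, HR_TERMINATED, date(2024, 6, 1)):
        print(f"{ctrl} {uid}: {text}")
```

The ownerless "admin" account on Windows is deliberately not reported, because C05 as written only covers Exact; widening the check to Windows is a one-line change.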



Firewall settings

Risk: Unauthorised individuals from outside the company could gain access via the Internet to the organization's computer systems and access critical data or disrupt operations.
Risk impact: High
Controls:
- C01 Firewall setup is documented.
- C02 All public servers are located on a screened subnet (DMZ) behind a firewall.
- C03 Firewall log review is performed on a daily basis and is part of the daily logbook of the system administrator.
- C04 A procedure is in place that requires all firewall changes to be properly documented and authorised.
- C05 …



Backup and recovery

Risk: Backups are not performed regularly, adequately and in a timely manner, which can cause a loss of critical data in case of a disaster or major crash.
Risk impact: High
Controls:
- C01 A backup procedure is available which includes:
  - the frequency and time of making copies of data (manual or automated?)
  - how and where to store the copies (centralized or decentralized?)
  - the storage medium to use (it depends on the data that must be backed up)
- C02 A backup log is monitored by system administrators. Detected issues are properly escalated according to the backup procedure.
- C03 The required maintenance of the backup system.

Risk: Data cannot be restored from tape backup after a problem.
Risk impact: High
Controls:
- C04 A restore procedure is available which includes:
  - the process of how to restore
  - a restore procedure checklist

Risk: In the event of a major computer malfunction or natural disaster, computer operations and critical business functions are not recovered properly in a timely manner.
Risk impact: High
Controls:
- C05 A formal Disaster Recovery Plan is documented and applied consistently. It clearly details:
  - DRP overview
  - server shutdown/restore order with location
  - operating the critical applications and data required for the DRP
  - providing workspace and required equipment
  - all contact info for decision makers
- C06 Keep the DRP test plan current and in sync with business changes. It may require updates after changes in hardware, software or applications.
Test to perform: Change management

Obtain the change management procedures and related documentation. Verify the procedures by checking if they address:
- Change requests are properly documented
- Change request sign-off is clearly established
Obtain the existing procedures and adequate documentation related to the technical impact assessment. Verify the effectiveness of the procedures and documentation by checking if the technical impact analysis and validation are clearly described.



Test to perform: User account access

Test to perform: Firewall settings

Determine where all the Foil web servers are located and ensure that they are located on a screened subnet (DMZ) behind a firewall.


Test to perform: Backup and recovery

Obtain the backup procedure and review its content for a clear description of when to make the copies, where to store them and on which medium.

Inquire of the backup operator whether he is aware of this procedure and whether he complies with it.

Watch the backup log files daily. That way you can follow them and become familiar with how they look when everything is working, so that when things go wrong you are prepared to pinpoint the nature of the problem immediately.

Clean the heads of the backup drive and check whether the media are stored on a scratched part. Store on an alternative location when testing.

Obtain the restore procedure and review its content for a clear description of how to restore, and test it.
Simulate a sample restore job periodically (monthly/weekly, depending on the risk).

Test the DR plan. Check the task plan chart and the timelines to validate the effectiveness of the current DRP.
Simulate the conditions of an actual Disaster Recovery situation.
Check the completeness of the disaster recovery information.
Ensure the ability to recover the intended functions.

Check the last DRP test:
Ensure that the last test has been performed during the current year.
Ensure that the last test is properly documented.
Ensure that the test covers all critical business applications (in-scope applications).
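The daily backup log review (control C02 and the log-watching test step above) as an added example, not part of the assignment: it parses a constructed log in an assumed line format and reports the three things the procedure says an operator must notice and escalate: days with no successful copy, failed jobs, and jobs started outside the scheduled window. The 22:00-23:59 window and the log format are assumptions.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample backup log; the line format is an assumption for this
# example, not the format of any particular backup product.
SAMPLE_LOG = """\
2024-06-03 22:05:12 JOB full-nightly START tape=TAPE017
2024-06-03 23:41:03 JOB full-nightly END status=OK
2024-06-04 22:04:58 JOB full-nightly START tape=TAPE018
2024-06-04 22:06:11 JOB full-nightly END status=FAILED error=media_write
2024-06-06 03:12:40 JOB full-nightly START tape=TAPE019
2024-06-06 04:30:00 JOB full-nightly END status=OK
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) JOB \S+ (START|END)(?: status=(\w+))?"
)

def backup_day(ts):
    """A nightly job that runs past midnight still belongs to the previous day."""
    return ts.date() if ts.hour >= 12 else ts.date() - timedelta(days=1)

def parse_log(text):
    """Yield (timestamp, event, status) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, status = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, status

def check_backups(text, first_day, last_day, window=("22:00", "23:59")):
    """Compare the log with the procedure (one successful job per day, started
    inside the agreed window). Returns the issues an operator should escalate."""
    ok_days, failed, late = set(), [], []
    for ts, event, status in parse_log(text):
        day = backup_day(ts)
        if event == "START" and not (window[0] <= ts.strftime("%H:%M") <= window[1]):
            late.append(day)            # started outside the scheduled window
        elif event == "END" and status == "OK":
            ok_days.add(day)
        elif event == "END":
            failed.append(day)          # any non-OK completion
    expected = [first_day + timedelta(days=i) for i in range((last_day - first_day).days + 1)]
    missing = [d for d in expected if d not in ok_days]   # no successful copy at all
    return {"missing": missing, "failed": failed, "late": late}

def sample_report():
    """Run the check over the constructed log for 3-5 June 2024 (ISO date strings)."""
    r = check_backups(SAMPLE_LOG, date(2024, 6, 3), date(2024, 6, 5))
    return {k: [d.isoformat() for d in v] for k, v in r.items()}

if __name__ == "__main__":
    print(sample_report())
```

Note that 5 June shows up as "late" but not "missing": the copy exists, it just started at 03:12 the next morning, which is exactly the kind of drift a daily reader of the log learns to spot.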
